Leo Gaspard

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.5.32 PHP versions 5.6.x prior to 5.6.18 PHP versions 7.x prior to 7.0.3 **Description** The issue arises from insufficient input validation in the `stream get meta data` function, allowing an attacker to control the return values if the input can be controlled, such as during file uploads. For instance, a call like `$uri = stream get meta data(fopen($file, "r"))['uri']` can mishandle cases where `$file` is set to `data:text/plain;uri=eviluri`, enabling an attacker to set metadata. This can potentially impact the integrity of information. **Recommendations** For PHP versions prior to 5.5.32, update to version 5.5.32 or later. For PHP versions 5.6.x prior to 5.6.18, update to version 5.6.18 or later. For PHP versions 7.x prior to 7.0.3, update to version 7.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** Qemu (affected versions not specified) **Description** The issue is related to an improper access control problem in Qemu when built with VirtFS and 9pfs support. It occurs when accessing virtfs metadata files in mapped-file security mode, potentially allowing a guest user to escalate their privileges inside the guest. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.